Easy as 123-Reg: What repeat DDoS attacks on a UK web host say about the state of security

As the saying goes, forewarned is forearmed. In the world of online security, however, the saying would be more accurate as "forewarned should mean forearmed." Not only have the warnings about distributed denial of service attacks been seemingly endless, but so have the horror stories and headlines about the immense devastation these attacks cause.

Yet as we head into a new year that will surely be packed with DDoS attacks that are unwieldy in both size and number, new research shows that a staggering percentage of companies lack DDoS protection, and an even bigger percentage are unclear on how best to combat distributed denial of service attacks. No wonder even high-profile companies like 123-Reg are getting nailed over and over again.

Access denied

A distributed denial of service attack is a type of cyberattack that specializes in denial of service. These attacks use the resources of a botnet – a network of a large number of infected devices – to overwhelm a targeted website or server with malicious traffic, rendering that website or server unusable either by slowing it down or booting it offline.

DDoS attacks have been a concern for business and website owners for over 15 years, and the concern has only grown in recent years thanks to two major developments: massive IoT botnets made up of hundreds of thousands, even millions, of unsecured and infected Internet of Things devices, and DDoS-for-hire services that allow anyone to rent a botnet – including IoT botnets – to launch distributed denial of service attacks at the targets of their choosing.

In the year 2017, nearly every website in existence is a potential target, and some categories of sites and businesses, including online gaming, banking, software as a service and web hosting companies, are the biggest targets of all.

123-Irreg

Customers of the UK’s largest web hosting company 123-Reg spent 2016 in a state of frustration. Not only did customers have their fees doubled, but they paid that money only to see their services repeatedly interrupted by DDoS attacks, most notably in August and then October. If those customers were hoping for a brighter 2017, their hopes were dashed just six days in when websites and email services went down due to yet another attack.

Representatives from 123-Reg reported that they were able to restore services within an hour of the attack. For customers who have been through this multiple times before, this ‘mere’ hour of downtime was likely a cold comfort.

Unisolated negligence

It would be easy to write off the 123-Reg incidents as the consequences of just one company’s neglect. Unfortunately, this unwillingness or inability to effectively protect against distributed denial of service attacks is pervasive: the 2016 Corporate IT Security Risks Survey undertaken by Kaspersky Lab found that out of 4000 businesses surveyed across 25 countries, 16% have no DDoS protection whatsoever, and 39% say they don’t know how to best combat DDoS attacks. A further 40% erroneously believe their ISP will provide the necessary protection.

Perhaps worst of all, 12% of companies surveyed indicated that they believe a small amount of downtime caused by a distributed denial of service attack wouldn’t cause a major issue for their business.

Dire consequences

To begin with, the consequences of a DDoS attack extend far beyond downtime. Unmitigated DDoS attacks can cause damage to hardware and software. These attacks are also used as smokescreens for intrusions, allowing a hacker to gain access to sensitive data, often including customer information, financial information, or intellectual property.

Furthermore, the consequences of downtime extend far beyond the outage itself. Users being unable to access services they rely on or enjoy is bad enough, causing understandable frustration, but it becomes much worse when those users have paid for those services. Worse still is when those users have income or businesses of their own that rely on those services, as in the case of 123-Reg.

The frustration caused by downtime is often enough to cause users to rethink what web services they’re spending their time and money on, but couple that with the mistrust bred by a company repeatedly failing to protect the best interests of its customers, and it can add up to a death knell for many organizations.

Action, not reaction

The 123-Reg distributed denial of service incidents tend to involve the company making statements on Twitter about the steps its team is taking to combat the attacks – after the attacks have taken hold and downtime has begun. Not only is this a questionable PR strategy, but it’s also a guide on how not to handle the attacks themselves.

For websites and companies that have user bases that will be impacted by downtime, these attacks should not be allowed to ever reach the network. Cloud-based, real-time DDoS detection and mitigation positioned at the peering edge will keep attack traffic from ever reaching or impacting the network, rerouting it instead to a scrubbing server while allowing legitimate traffic through unimpeded.
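To make the pass-or-scrub decision above concrete, here is a small added example (not code from 123-Reg or any mitigation vendor) of a sliding-window rate detector at the edge: each request is either forwarded to the origin or diverted to scrubbing, so the flooding sources are held back while the legitimate client keeps getting through. The window length, the per-source limit and the traffic mix are constructed values for illustration.

```python
from collections import defaultdict, deque

# Constructed thresholds for the example; real deployments tune these per service.
WINDOW_MS = 10_000        # sliding window length in milliseconds
PER_SOURCE_LIMIT = 50     # requests a single source may send per window


class EdgeFilter:
    """Sliding-window rate detector modelling the pass/scrub decision at the edge."""

    def __init__(self, window_ms=WINDOW_MS, per_source=PER_SOURCE_LIMIT):
        self.window_ms = window_ms
        self.per_source = per_source
        self.by_src = defaultdict(deque)  # source -> request timestamps inside the window
        self.diverted = set()             # sources currently being sent to scrubbing

    def _trim(self, dq, now_ms):
        # Drop timestamps that have aged out of the window.
        while dq and now_ms - dq[0] >= self.window_ms:
            dq.popleft()

    def classify(self, ts_ms, src):
        """Return 'pass' (forward to origin) or 'scrub' (divert to scrubbing)."""
        dq = self.by_src[src]
        self._trim(dq, ts_ms)
        dq.append(ts_ms)
        if len(dq) > self.per_source:
            self.diverted.add(src)
            return "scrub"
        self.diverted.discard(src)  # source back under the limit: forward again
        return "pass"


def constructed_traffic():
    """Constructed sample: one legitimate client plus three flooding sources."""
    events = [(s * 1000, "198.51.100.7") for s in range(30)]          # 1 req/s for 30 s
    for src in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):      # 20 req/s each
        events += [(s * 1000 + k * 50, src) for s in range(30) for k in range(20)]
    return events


def simulate(events, detector=None):
    """Feed events in time order; return verdict counts and the diverted sources."""
    det = detector or EdgeFilter()
    verdicts = {"pass": 0, "scrub": 0}
    for ts_ms, src in sorted(events):
        verdicts[det.classify(ts_ms, src)] += 1
    return verdicts, sorted(det.diverted)
```

On the constructed traffic every request from the legitimate client is forwarded, while each flooding source is diverted from its 51st request in the window onward.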

Ideally these measures would be implemented before a company suffers even one attack, but professional mitigation becomes even more essential when it comes to repeat attack attempts. As another famous saying sort of goes: fool me once, shame on you. Fool me more than once, shame on my lack of DDoS preparedness.